$1.5B Bybit heist linked to a compromised developer machine within Safe{Wallet} infrastructure


The recent $1.5 billion heist from the cryptocurrency exchange Bybit has been traced back to a compromised developer machine within the infrastructure of the multisig wallet platform Safe{Wallet}.

According to Bybit CEO Ben Zhou, the attack was initiated through a targeted injection of malicious JavaScript into the Safe{Wallet} platform’s infrastructure. This code was specifically designed to execute only under certain conditions, allowing it to remain undetected by typical security measures.

The company shared the conclusions of two investigations conducted by Sygnia and Verichains, linking the hack to the North Korean state-backed hacking outfit Lazarus Group. According to Verichains’ investigation, the malicious code injected into the Safe{Wallet} application was specifically crafted to activate when certain parameters aligned, allowing it to bypass normal defenses. The attack was launched from Safe{Wallet}'s AWS S3 bucket, which had either been leaked or compromised. This allowed the hackers to route Bybit's assets to an attacker-controlled wallet.

According to Sygnia’s findings, two minutes after the malicious transaction was executed and published, new versions of the JavaScript resources were uploaded to Safe{Wallet}'s AWS S3 bucket. The incident was also linked to an updated version of the malicious code, which had been modified days prior to the attack on February 21, 2025.

The attack specifically targeted Bybit’s Ethereum multisig cold wallet, redirecting crypto assets to the hackers’ wallets. Despite initial concerns, Sygnia’s forensic team found no further evidence of compromise within Bybit’s own infrastructure after the breach was detected.

The attack was not only confirmed by Sygnia and Verichains, but also by the Safe Ecosystem Foundation, which operates Safe{Wallet}. In their statement, the foundation revealed that the breach was enabled through access gained from a compromised Safe{Wallet} developer machine. This allowed the hackers to propose a malicious transaction on Bybit’s platform.

“The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeted to the Bybit Safe was achieved through a compromised machine of a Safe{Wallet} developer resulting in the proposal of a disguised malicious transaction,” the Safe Ecosystem Foundation said.

In response to the attack, the Safe{Wallet} team has since restored the platform’s infrastructure on the Ethereum mainnet, removing the native Ledger integration temporarily and reconfiguring all systems to ensure the attack vector was closed.

In a Public Service Announcement (PSA) the Federal Bureau of Investigation (FBI) confirmed that North Korea’s Lazarus Group was behind the hack, stating that approximately $1.5 billion worth of virtual assets had been stolen. The FBI detailed how the hackers had intercepted a scheduled transfer of funds from one of Bybit’s cold wallets to a hot wallet, redirecting the cryptocurrency to an address under their control.

Crypto fraud investigator ZachXBT traced the stolen funds to Ethereum addresses that had been involved in past Lazarus Group hacks.

ZachXBT's findings were corroborated by the blockchain analysis firms Elliptic and TRM Labs, which also reported that the attackers had taken measures to slow down tracing efforts. Substantial overlaps were observed between the addresses linked to the Bybit hackers and those associated with past North Korean thefts, further indicating Lazarus’ involvement.
